Soho
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This payment skill is mostly purpose-aligned, but it needs careful review because it can authorize or broadcast wallet payments while its invocation, credential, and provenance metadata are inconsistent.
Install only if you understand that this skill can initiate wallet payment flows. Before use, confirm the publisher/version, fix the missing config import, ensure model/autonomous invocation is disabled or always confirmed, and use a trusted remote signer with strict spending limits instead of a raw private key.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent may have a path to invoke a high-impact payment workflow unless the platform separately enforces confirmation every time.
The skill performs a financial/payment action, but the registry flag does not disable autonomous model invocation, which conflicts with the manual-only safety posture described in the skill.
Description: Initiate payments on the SOHO Pay credit layer using EIP-712 signatures. ... disable-model-invocation: false (default — agent can invoke autonomously, this is normal)
Disable model/autonomous invocation for this skill at the registry level, or require an explicit human confirmation prompt immediately before any signing or transaction broadcast.
Providing these credentials could allow the skill or configured signer service to authorize payment-related signatures and, in some modes, broadcast transactions.
The skill can use a wallet-signer bearer token or raw private key, but the registry requirements list no env vars and no primary credential, under-declaring sensitive delegated wallet authority.
"SIGNER_SERVICE_AUTH_TOKEN": { "description": "Bearer auth token for the wallet signing service. Optional but recommended.", "required": false, "sensitive": true }, ... "SOHO_DEV_PRIVATE_KEY": { "description": "Raw private key for local signing...", "required": false, "sensitive": true }
Declare these credentials in registry metadata, prefer a scoped remote signer with spending limits, and avoid raw private keys except in isolated testnet/dev environments.
Users may not be able to confidently verify which publisher or version they are installing.
These embedded metadata values differ from the registry metadata shown for owner, slug, and version, creating a provenance/version mismatch for a payment-capable skill.
"ownerId": "kn781e5mn4ekr955d0205f8tt581e7sx", "slug": "soho", "version": "1.0.1"
Reconcile registry metadata, _meta.json, skill.json, and package.json before installation, especially because the skill handles payment authority.
The skill may fail at runtime or may not be the exact package the documentation expects.
The manifest includes src/signer/config.js but not src/config.js, so the runnable package appears inconsistent or incomplete.
const { loadConfig } = require("../src/config");
Fix the require paths or include the missing file, then re-review the complete runnable package.
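The provenance mismatch and the missing src/config.js findings above are both checks that can be automated before installation. The following is an added example, not code from the Soho skill or from ClawScan, that reconciles the identity fields across the registry entry and the embedded metadata files and then verifies that every relative require() in the package resolves to a file in the manifest. The file contents, the manifest listing (apart from src/signer/config.js, which the finding names) and the registry values are constructed samples; only the embedded ownerId, slug and version are taken from the finding. The placement of the require("../src/config") call in a scripts/pay.js file and the treatment of package.json "name" as the slug are assumptions.

```javascript
// Added example (not the skill's or ClawScan's code): pre-install consistency
// checks for a payment-capable skill package. All sample data below is
// constructed except the embedded ownerId/slug/version quoted in the audit.

const REQUIRE_RE = /require\(\s*["'](\.{1,2}\/[^"']+)["']\s*\)/g;

// Resolve a relative require target against the requiring file's path
// (POSIX-style paths as listed in the manifest).
function resolveRelative(fromFile, target) {
  const parts = fromFile.split("/").slice(0, -1);
  for (const seg of target.split("/")) {
    if (seg === "..") parts.pop();
    else if (seg !== ".") parts.push(seg);
  }
  return parts.join("/");
}

// Node's CommonJS lookup for a relative path, reduced to the cases that matter
// for a plain JS package: exact file, file + ".js", directory index.
function findInManifest(base, manifest) {
  return [base, `${base}.js`, `${base}/index.js`].find(p => manifest.has(p)) || null;
}

// Returns { file, target, resolvedTo } for every relative require() that
// resolves to nothing in the manifest. Bare specifiers ("ethers") are package
// dependencies and are deliberately not checked here.
function missingRequires(sources, manifestFiles) {
  const manifest = new Set(manifestFiles);
  const missing = [];
  for (const [file, text] of Object.entries(sources)) {
    for (const m of text.matchAll(REQUIRE_RE)) {
      const base = resolveRelative(file, m[1]);
      if (!findInManifest(base, manifest)) missing.push({ file, target: m[1], resolvedTo: base });
    }
  }
  return missing;
}

// Compare ownerId/slug/version across the registry entry and embedded files.
// Returns { field: { source: value, ... } } only for fields that disagree.
// Assumption: package.json carries the slug in its "name" field.
function metadataMismatches(registry, embedded) {
  const views = { registry, ...embedded };
  const out = {};
  for (const field of ["ownerId", "slug", "version"]) {
    const seen = {};
    for (const [name, doc] of Object.entries(views)) {
      const v = field === "slug" && name === "package.json" ? doc.name : doc[field];
      if (v !== undefined) seen[name] = v;
    }
    if (new Set(Object.values(seen)).size > 1) out[field] = seen;
  }
  return out;
}

// Constructed samples. The registry values are placeholders, not the real ones.
const sampleRegistry = { ownerId: "registry-owner-id-placeholder", slug: "soho", version: "1.0.2" };
const sampleEmbedded = {
  "_meta.json": { ownerId: "kn781e5mn4ekr955d0205f8tt581e7sx", slug: "soho", version: "1.0.1" },
  "skill.json": { slug: "soho", version: "1.0.1" },
  "package.json": { name: "soho", version: "1.0.1" },
};
const sampleManifest = ["SKILL.md", "package.json", "scripts/pay.js", "src/signer/config.js", "src/signer/client.js"];
const sampleSources = {
  "scripts/pay.js": [
    'const { loadConfig } = require("../src/config");',
    'const { signTypedData } = require("../src/signer/client");',
    'const ethers = require("ethers");',
  ].join("\n"),
  "src/signer/client.js": 'const cfg = require("./config");',
};

console.log(metadataMismatches(sampleRegistry, sampleEmbedded));
console.log(missingRequires(sampleSources, sampleManifest));
```

Run against the samples, the metadata check reports ownerId and version as disagreeing (slug agrees everywhere), and the require check reports exactly one unresolved import, the "../src/config" call, while "./config" from src/signer/client.js and "../src/signer/client" resolve to files in the manifest. A package that fails either check should not be installed until the maintainer has published a reconciled version, since the mismatch is what lets a substituted package carry the same name as the one the documentation describes.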
The remote signer can see payment authorization details such as payer, merchant, asset, amount, and nonce, and the bearer token may grant access to signing services.
The skill sends EIP-712 payment details and an optional bearer token to a user-configured remote wallet signer, which is expected for this design but sensitive.
const url = `${config.walletSignerServiceUrl}/sign-eip712`; ... h["Authorization"] = `Bearer ${config.signerServiceAuthToken}`; ... body: JSON.stringify({ domain, types, message })
Use only a trusted wallet-signing endpoint, scope its token and signing policies tightly, and verify the typed data before approving signatures.
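The three signer-related findings above (autonomous invocation not disabled, under-declared wallet credentials, and the remote signer's view of the typed data) come down to one control: the signing endpoint, not the agent, has to enforce the policy. The following is an added example, not code from the Soho skill or from ClawScan, of the checks a remote wallet signer could run on each request to its sign-eip712 route before producing a signature. The request body shape { domain, types, message } and the message fields payer, merchant, asset, amount and nonce follow the audit; the policy object, the "Payment" type name, the addresses, the chain id and the confirmation token format are assumptions.

```javascript
// Added example (not the skill's or ClawScan's code): a policy gate for a
// remote wallet signer. Everything in examplePolicy is a constructed sample;
// the request shape and message field names follow the audit's description.

const PAYMENT_TYPE = "Payment"; // assumed primary type name

// Hypothetical spending policy bound to one delegated signer token.
const examplePolicy = {
  domain: { name: "SOHO Pay", version: "1", chainId: 8453,
            verifyingContract: "0x1111111111111111111111111111111111111111" },
  allowedMerchants: ["0x2222222222222222222222222222222222222222"],
  allowedAssets: ["0x3333333333333333333333333333333333333333"],
  maxPerPayment: 50n * 10n ** 6n,   // 50 units of a 6-decimal asset
  maxPerDay: 200n * 10n ** 6n,
  requireHumanConfirmation: true,
};

function newState() {
  return { seenNonces: new Set(), spentToday: 0n };
}

function sameAddress(a, b) {
  return typeof a === "string" && typeof b === "string" && a.toLowerCase() === b.toLowerCase();
}

// Returns { ok: true } or { ok: false, reason }. State is updated only on success.
function checkSignRequest(req, policy, state) {
  const { domain, types, message, confirmation } = req || {};
  if (!domain || !types || !message) return { ok: false, reason: "malformed request" };

  // 1. Domain must match exactly: a different chainId or verifyingContract
  //    would let the signature be replayed against another verifier.
  const d = policy.domain;
  if (domain.name !== d.name || domain.version !== d.version ||
      Number(domain.chainId) !== d.chainId ||
      !sameAddress(domain.verifyingContract, d.verifyingContract)) {
    return { ok: false, reason: "domain mismatch" };
  }

  // 2. Only the known payment type with exactly its declared fields, so the
  //    caller cannot smuggle in an extra field the verifier would act on.
  const fields = types[PAYMENT_TYPE];
  if (!Array.isArray(fields)) return { ok: false, reason: "unknown primary type" };
  const declared = fields.map(f => f.name).sort().join(",");
  if (declared !== "amount,asset,merchant,nonce,payer") return { ok: false, reason: "unexpected type fields" };

  // 3. Merchant and asset allowlists.
  if (!policy.allowedMerchants.some(m => sameAddress(m, message.merchant))) return { ok: false, reason: "merchant not allowlisted" };
  if (!policy.allowedAssets.some(a => sameAddress(a, message.asset))) return { ok: false, reason: "asset not allowlisted" };

  // 4. Amount handled as BigInt, never Number (precision loss above 2^53).
  let amount;
  try { amount = BigInt(message.amount); } catch { return { ok: false, reason: "amount not an integer" }; }
  if (amount <= 0n) return { ok: false, reason: "non-positive amount" };
  if (amount > policy.maxPerPayment) return { ok: false, reason: "exceeds per-payment limit" };
  if (state.spentToday + amount > policy.maxPerDay) return { ok: false, reason: "exceeds daily limit" };

  // 5. Nonce must be fresh for this signer (no re-signing of a seen payment).
  const nonce = String(message.nonce);
  if (state.seenNonces.has(nonce)) return { ok: false, reason: "nonce already signed" };

  // 6. Human confirmation bound to this exact payment, so an agent that can
  //    reach the signer cannot reuse one approval for a different payment.
  //    Hypothetical format: the confirmation UI echoes the payment fields.
  if (policy.requireHumanConfirmation) {
    const expected = `${message.payer}|${message.merchant}|${message.asset}|${amount}|${nonce}`.toLowerCase();
    if (typeof confirmation !== "string" || confirmation.toLowerCase() !== expected) {
      return { ok: false, reason: "missing or mismatched human confirmation" };
    }
  }

  state.seenNonces.add(nonce);
  state.spentToday += amount;
  return { ok: true };
}
```

In production the confirmation would be a token issued by the human-confirmation step (for example an HMAC over the same fields under a key the signer holds) rather than the plain concatenation used here; what matters is that it is bound to one payer, merchant, asset, amount and nonce. With this gate in place, the bearer token the skill sends only buys the agent the right to ask for signatures inside the allowlist and limits, which is the "scoped remote signer with spending limits" the findings recommend over a raw private key.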
